ClawHub

Migrator

v1.1.0

Securely migrate OpenClaw Agent (config, memory, skills) to a new machine.

1· 1.7k·2 current·2 all-time
by@wenjie2024
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description claim to migrate OpenClaw agent state; code implements exporting ~/.openclaw and ~/.clawdbot, building an encrypted archive, and restoring with path healing. Requested resources (home paths, optional MIGRATOR_PASSWORD) match that purpose.
Instruction Scope
SKILL.md simply documents export/import usage and notes sensitive files. Runtime code reads local agent files, writes an encrypted archive, and restores locally — no instructions or code to read unrelated system locations, call external endpoints, or exfiltrate data.
Install Mechanism
There is no install spec in the registry (instruction-only), yet the package includes full Node.js source and package.json. That is not dangerous by itself but means the tool needs npm/node to run; if you install it locally you will run npm install which fetches listed dependencies (archiver, tar, fs-extra, commander) from npm.
Credentials
The tool uses only local environment (HOME, optional MIGRATOR_PASSWORD or --password). It does not request unrelated API keys, tokens, or cloud credentials. The included test/mock files contain a dummy API key for testing only.
Persistence & Privilege
Skill does not request permanent/always-on presence. CLI drivers present in files run only when executed directly; there is no code that attempts to modify other skills or global agent config.
Assessment
This package appears to implement a local, encrypted migration utility and is internally consistent. Before installing or running it: 1) Verify the source — no homepage/repository is listed in the registry metadata, so prefer obtaining it from a trusted repo if possible. 2) Inspect the package.json and source (already included) and prefer running it in a non-privileged account. 3) Use a strong password when exporting archives and keep backups of originals until a successful test restore is completed. 4) If you run npm install to enable the CLI, be aware that npm will fetch third-party dependencies (archiver, tar, fs-extra, commander) — only install if you trust those packages and your network. 5) The test/mock data includes a placeholder API key — ensure you do not accidentally import test data into a production config. Overall: coherent and matches its stated purpose, but exercise the usual caution installing/running code from an unknown publisher.

Like a lobster shell, security has layers — review code before you run it.

latestvk972gjcx67gr2jqfaqhb5frqa580eafh

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments